While researching home security issues with IOT devices I came across an article about a smart lock that is used in many homes that has a major security vulnerability giving hackers access to your home. On a scale from one to ten where one is minimal security threat to ten being a major threat, I would say that a lock on the front door of your house that is pretty much useless would be a ten. Researching home security in IOT devices is pretty interesting because nowadays more and more people are turning to use IOT smart devices to power their homes. New IOT devices are coming out all of the time for home use but many of them have security flaws or vulnerabilities making them a threat to the safety of your home. In this document I will go over what this smart lock is, how hackers can bypass the locking mechanism, and what is being done to prevent this vulnerability from letting the bad guys into your home.
The smart lock that has this vulnerability is made by the company “KeyWe”. It is a lock that is to be used to secure a user’s front door, or main entry to the house. It can be locked or unlocked physically, using the application that comes with the lock, or through NFC on an armband (Marciniak, 2019). The smart lock uses encryption for the digital keys that it transmits back and forth from the physical device and the application that the user controls it from. There is even an option to have guest keys where the user can grant a guest access to the lock with the push of a button in the application. All and all this smart lock seems like a nice device to have in your house and provides great convenience in managing the security of your home. The problem is that a hacker can completely bypass all of the security measures of the device and application and gain access to the user’s house if they wanted to.
A Finland based security company named F-Secure has discovered the security vulnerability of the lock letting hackers and unauthorized users gain access to your house through sniffing packets being sent between the lock and the application. The problem is not with the encryption of the keys but the ability of the hacker to obtain the key before it is encrypted (Ng, 2019). F-Secure labs has a web page for this specific hack and it shows you the teardown of the device naming all of the components and how to actually execute the hack, and it looks too easy (Marciniak, 2019). With the use of a tool named Frida the security researchers could intercept all of the messages with information like name of the function being executed and which way the transmission was going e.g. From lock to application or application to lock. Turns out that intercepting messages that are being sent between the lock and the application for the lock all you have to do is use a piece of hardware that has Bluetooth capability and the commonly used Wireshark application (Marciniak, 2019). The hack is easy to execute if the hacker has the appropriate equipment which is relatively inexpensive and can be obtained by anyone. The smart lock can be unlocked by anyone that really wants to get through the door that it is attached to, so what is KeyWe doing about it?
According to the research I’ve done on this, the security engineers who discovered this hack at F-Secure Labs have disclosed this information to KeyWe right when they found out. Since the hack was disclosed to KeyWe, the company says that they have resolved the problem. The truth is that the problem cannot be fixed and that after speculation from security research engineers, KeyWe has advised the users of the lock that the security vulnerability cannot be fixed and that users should remove and replace the device with a newer smart lock which they say are now up to date. KeyWe says that they take the security in their devices very seriously and their customers security is top priority (Ng, 2019). Amazon has been notified about the flaw in the smart lock and declined to respond on whether they will still sell the product on their site. Of all of the security vulnerabilities that I have read about so far, this is a major one. There is not even any kind of fix for this vulnerability as users are advised to just remove the device from their homes. The company KeyWe will most definitely lose many customers because of this and their lack of security practices. Researchers at F-Secure Labs say that the hack was easy to figure out which shows a major lack of security testing by KeyWe on their products.
Having a door lock that grants entry to anyone who has a key whether it was gained properly or not is a major deficit in the world of cyber security. There are plenty of people out there who bought this lock only to find out some time later that anyone can get through the lock, even burglars. This shows that companies need to focus much more on the security of their devices, especially if these devices are going to operate in their customers homes. Computer security has been picking up as an industry lately and that is because of these types of flaws that security researchers are discovering every day. There are so many security vulnerabilities in IOT devices and that is one of the main reasons for the surge in computer security research. KeyWe should be ashamed of their software development process, especially their testing department to let such an obvious vulnerability happen in their smart lock. I personally will remember the name KeyWe and I will definitely never purchase any of their products.
Marciniak, K. (2019, December 11). Digital lockpicking – stealing keys to the kingdom. Retrieved from labs.f-secure.com: https://labs.f-secure.com/blog/digital-lockpicking-stealing-keys-to-the-kingdom
Ng, A. (2019, December 11). Smart lock has a security vulnerability that leaves homes open for attacks. Retrieved from cnet.com: https://www.cnet.com/news/smart-lock-has-a-security-vulnerability-that-leaves-homes-open-for-attacks/